The SANS Digital Forensics and Incident Response faculty and community members created the 2012 poster. It uses "Evidence of..." categories to map each specific artifact to the analysis question that it helps answer. Finding unknown malware is an intimidating process to many, but it can be simplified by following a few simple steps that narrow your search. Use this poster as a cheatsheet to remind you where to find the key items of evidence for an activity on Microsoft Windows systems, whether the case involves an intrusion, intellectual property theft, or a common cyber-crime.
Proper digital forensic and incident response analysis is essential to successfully solving today's complex cases. Each analyst should examine the artifacts and then analyze the activity they describe to form a clear picture of which user was involved, what the user was doing, when they were doing it, and why. The data here will help you find multiple locations that can substantiate facts related to your casework.
Each row describes a series of artifacts found on a Windows system that help determine whether a given action occurred. Usually multiple artifacts will be discovered that all point to the same activity. These locations are a guide that focuses your analysis on the right areas of Windows, helping you answer simple questions about what happened.
Created by Rob Lee and the SANS DFIR Faculty
Special thanks for technical review and edits go to the following individuals. We couldn't have finished the poster without your great input and help.